This blog post discusses a multi-layered security approach built on several MFA-based authentication steps.
In the current world, cyber attacks have become the biggest threat! With the rise of hackers and powerful hacking equipment and techniques, even people with a bare minimum of computing knowledge can become hackers.
This blog post shows, in a certain way, techniques to reduce the attack surface. In the past I have written a few blog posts regarding cyber-security; this one continues those overall concepts. Here are the blog posts:
The overall concept is using one-time-use VPN profiles with time limits on the validity of the connection, i.e. once I create and connect to a VPN server, if anyone ever gets hold of the VPN profile and attempts to connect, the connection should not be allowed and, based on the organization's policy, a breach alert should be sent or some other mitigation action performed.
As of now, ALight Technology And Services Limited does not have any other employees, but based on employee permissions and categories, the VPN's outbound IP address should be segregated, i.e. x.x.x.x for accessing production environments, y.y.y.y for a different set of resources, etc.
By doing this type of segregation, it becomes easy to segregate cloud workloads on top of IAM policies in AWS / RBAC in Azure, and the policies themselves can be restricted further.
This being the overall policy, I am going to implement it soon. In the announcements blog – ALight Technology And Services Limited: Internal maintenance, server migration (alightservices.com) – I mentioned moving most AWS cloud workloads into Azure for easier management, because the biggest workload of ALight Technology And Services Limited – WebVeta – is going to be hosted on Azure. Because I am attempting the Azure Certified Developer Associate certification on September 15th (thanks Microsoft for the free exam voucher, gratitude), I am planning to get the server migration completed by September 20th, and the one-time-use VPN profile implementation plus moving the developer workload into the cloud by September 25th. After this implementation, the source code, development and Visual Studio would be in the cloud; my laptop would not have anything critical. I am considering doing a webcast soon and would cover the following topics:
- Using a YubiKey for logging into the laptop – not too useful, because this step can be bypassed and any other laptop can be used.
- Setting up a one-time-use OpenVPN profile secured by a random password with pre-configured validity – one of the critical steps.
- Biometric MFA for accessing AWS to obtain the OpenVPN profile.
- Accessing internal servers, i.e. RDP for Windows / SSH for Linux, and requiring a YubiKey – another critical step – TODO, i.e. I still need to implement this step. Alternatively, requiring a different kind of MFA prior to accessing RDP for Windows or SSH for Linux.
By doing the above set of activities, the following multi-layered security can be implemented:
- MFA for accessing the VPN profile.
- One-time-use VPN profile with pre-configured validity.
- A random and different password for each profile.
- Alerts / mitigations for any breach or second connection attempt – sometimes this could be a false alarm, i.e. network reasons.
- Another layer of MFA for accessing the VPN profile.
- Another layer of MFA for accessing servers.
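To make the one-time-use, time-limited profile idea concrete, here is an added example of the issuance and validation logic such a scheme needs; it is not code from the blog or from ALight Technology And Services Limited, and `ProfileRegistry`, the in-memory store, the alert list and the sample timestamps/IP addresses are all assumptions constructed for illustration. A real deployment would call `connect` from the VPN server's authentication hook and send the alerts to whatever the organization's policy requires.

```python
"""
Added example: one-time-use VPN profiles with a per-profile random password,
a validity window, and an alert on any reuse, expiry or bad-password attempt.
Everything here (class names, in-memory store, alert sink) is an assumption
for illustration, not the blog author's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class VpnProfile:
    profile_id: str
    password_hash: bytes   # salted PBKDF2 hash; the clear password is never stored
    salt: bytes
    issued_at: datetime
    expires_at: datetime
    used: bool = False     # flipped on the first successful connection


class ProfileRegistry:
    """Issues profiles and decides whether a connection attempt is allowed."""

    def __init__(self) -> None:
        self._profiles: dict[str, VpnProfile] = {}
        self.alerts: list[tuple] = []      # constructed alert sink (real: SNS / pager / email)
        self.audit_log: list[tuple] = []   # every decision is logged for later review

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, now: datetime, validity_minutes: int = 15) -> tuple[str, str]:
        """Create a profile with a fresh random password; the password is
        returned exactly once, to the requester who passed the MFA step."""
        profile_id = secrets.token_urlsafe(16)
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self._profiles[profile_id] = VpnProfile(
            profile_id, self._hash(password, salt), salt,
            now, now + timedelta(minutes=validity_minutes),
        )
        self.audit_log.append(("ISSUED", profile_id, now.isoformat()))
        return profile_id, password

    def _alert(self, kind: str, profile_id: str, source_ip: str, now: datetime) -> None:
        # A REUSE_ATTEMPT may be a reconnect after a network drop (false alarm);
        # policy decides whether to page someone or revoke the profile outright.
        event = (kind, profile_id, source_ip, now.isoformat())
        self.alerts.append(event)
        self.audit_log.append(event)

    def connect(self, profile_id: str, password: str, now: datetime, source_ip: str) -> bool:
        """Allow the connection only if the profile exists, the password
        matches, it has never been used, and it has not expired."""
        profile = self._profiles.get(profile_id)
        if profile is None:
            self._alert("UNKNOWN_PROFILE", profile_id, source_ip, now)
            return False
        if not hmac.compare_digest(self._hash(password, profile.salt), profile.password_hash):
            self._alert("BAD_PASSWORD", profile_id, source_ip, now)
            return False
        if profile.used:
            # Someone connecting with an already-used profile is the breach signal.
            self._alert("REUSE_ATTEMPT", profile_id, source_ip, now)
            return False
        if now > profile.expires_at:
            self._alert("EXPIRED_PROFILE", profile_id, source_ip, now)
            return False
        profile.used = True
        self.audit_log.append(("CONNECTED", profile_id, source_ip, now.isoformat()))
        return True


if __name__ == "__main__":
    # Constructed walk-through: issue, connect once, then a second attempt.
    registry = ProfileRegistry()
    t0 = datetime(2023, 9, 1, 12, 0, tzinfo=timezone.utc)
    pid, pw = registry.issue(t0, validity_minutes=15)
    print("first connect:", registry.connect(pid, pw, t0 + timedelta(minutes=1), "203.0.113.10"))
    print("second connect:", registry.connect(pid, pw, t0 + timedelta(minutes=2), "198.51.100.7"))
    for event in registry.audit_log:
        print(event)
```

The ordering of checks is deliberate: the password is verified before the reuse flag, so a `REUSE_ATTEMPT` alert means the caller held a valid profile and password, which is exactly the "someone got hold of the profile" case; a wrong password on a known profile is logged separately. The audit log feeds the monitoring and review discussed later in the post.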
Now, here are some no-no's:
- Don't use the same type of MFA for all the stages; use a different form of MFA or a different MFA device for each stage, so that a lost phone or stolen one-time codes or keys would not affect every stage. If, for example, you are using the same TOTP generator, the same YubiKey, or the same mobile phone for SMS at every stage, losing that key or phone can cause a breach. Having different MFA at each stage minimises the problem.
Irrespective of how many layers of security or how many cyber-security measures you have, implement logging, monitoring, metrics and alerting, and do review the logs and monitor the metrics for abnormalities. Have a plan of action, i.e. what to monitor, what is considered normal, what is considered abnormal, how to detect an attack, what needs to be done during an attack for mitigation, what needs to be done to reverse the damage, how to identify the damage, root-cause analysis, future mitigation, and a communication plan based on what has happened.
I am hoping this blog post and some of my previous blog posts can help small SMEs and small startups like mine.
–
Mr. Kanti Kalyan Arumilli
B.Tech, M.B.A
Founder & CEO, Lead Full-Stack .Net developer
ALight Technology And Services Limited
Phone / SMS / WhatsApp on the following 3 numbers:
+91-789-362-6688, +1-480-347-6849, +44-07718-273-964
+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)
kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.